amazonka-kms-1.4.5: Amazon Key Management Service SDK.

Copyright(c) 2013-2016 Brendan Hay
LicenseMozilla Public License, v. 2.0.
MaintainerBrendan Hay <brendan.g.hay@gmail.com>
Stabilityauto-generated
Portabilitynon-portable (GHC extensions)
Safe HaskellNone
LanguageHaskell2010

Network.AWS.KMS.GenerateDataKeyWithoutPlaintext

Contents

Description

Returns a data encryption key encrypted under a customer master key (CMK). This operation is identical to GenerateDataKey but returns only the encrypted copy of the data key.

This operation is useful in a system that has multiple components with different degrees of trust. For example, consider a system that stores encrypted data in containers. Each container stores the encrypted data and an encrypted copy of the data key. One component of the system, called the control plane , creates new containers. When it creates a new container, it uses this operation (GenerateDataKeyWithoutPlaintext ) to get an encrypted data key and then stores it in the container. Later, a different component of the system, called the data plane , puts encrypted data into the containers. To do this, it passes the encrypted data key to the Decrypt operation, then uses the returned plaintext data key to encrypt data, and finally stores the encrypted data in the container. In this system, the control plane never sees the plaintext data key.

Synopsis

Creating a Request

generateDataKeyWithoutPlaintext Source #

Arguments

:: Text

gdkwpKeyId

-> GenerateDataKeyWithoutPlaintext 

Creates a value of GenerateDataKeyWithoutPlaintext with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

  • gdkwpKeySpec - The length of the data encryption key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.
  • gdkwpEncryptionContext - A set of key-value pairs that represents additional authenticated data. For more information, see Encryption Context in the AWS Key Management Service Developer Guide .
  • gdkwpNumberOfBytes - The length of the data encryption key in bytes. For example, use the value 64 to generate a 512-bit data key (64 bytes is 512 bits). For common key lengths (128-bit and 256-bit symmetric keys), we recommend that you use the KeySpec field instead of this one.
  • gdkwpGrantTokens - A list of grant tokens. For more information, see Grant Tokens in the AWS Key Management Service Developer Guide .
  • gdkwpKeyId - The identifier of the CMK under which to generate and encrypt the data encryption key. A valid identifier is the unique key ID or the Amazon Resource Name (ARN) of the CMK, or the alias name or ARN of an alias that points to the CMK. Examples: * Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab * CMK ARN: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab * Alias name: alias/ExampleAlias * Alias ARN: arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias

data GenerateDataKeyWithoutPlaintext Source #

See: generateDataKeyWithoutPlaintext smart constructor.

Instances

Eq GenerateDataKeyWithoutPlaintext Source # 
Data GenerateDataKeyWithoutPlaintext Source # 

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> GenerateDataKeyWithoutPlaintext -> c GenerateDataKeyWithoutPlaintext #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c GenerateDataKeyWithoutPlaintext #

toConstr :: GenerateDataKeyWithoutPlaintext -> Constr #

dataTypeOf :: GenerateDataKeyWithoutPlaintext -> DataType #

dataCast1 :: Typeable (* -> *) t => (forall d. Data d => c (t d)) -> Maybe (c GenerateDataKeyWithoutPlaintext) #

dataCast2 :: Typeable (* -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c GenerateDataKeyWithoutPlaintext) #

gmapT :: (forall b. Data b => b -> b) -> GenerateDataKeyWithoutPlaintext -> GenerateDataKeyWithoutPlaintext #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> GenerateDataKeyWithoutPlaintext -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> GenerateDataKeyWithoutPlaintext -> r #

gmapQ :: (forall d. Data d => d -> u) -> GenerateDataKeyWithoutPlaintext -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> GenerateDataKeyWithoutPlaintext -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> GenerateDataKeyWithoutPlaintext -> m GenerateDataKeyWithoutPlaintext #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> GenerateDataKeyWithoutPlaintext -> m GenerateDataKeyWithoutPlaintext #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> GenerateDataKeyWithoutPlaintext -> m GenerateDataKeyWithoutPlaintext #

Read GenerateDataKeyWithoutPlaintext Source # 
Show GenerateDataKeyWithoutPlaintext Source # 
Generic GenerateDataKeyWithoutPlaintext Source # 
Hashable GenerateDataKeyWithoutPlaintext Source # 
ToJSON GenerateDataKeyWithoutPlaintext Source # 
NFData GenerateDataKeyWithoutPlaintext Source # 
AWSRequest GenerateDataKeyWithoutPlaintext Source # 
ToPath GenerateDataKeyWithoutPlaintext Source # 
ToHeaders GenerateDataKeyWithoutPlaintext Source # 
ToQuery GenerateDataKeyWithoutPlaintext Source # 
type Rep GenerateDataKeyWithoutPlaintext Source # 
type Rep GenerateDataKeyWithoutPlaintext = D1 (MetaData "GenerateDataKeyWithoutPlaintext" "Network.AWS.KMS.GenerateDataKeyWithoutPlaintext" "amazonka-kms-1.4.5-2CcuwPQYK1JBjEgZ8528Xg" False) (C1 (MetaCons "GenerateDataKeyWithoutPlaintext'" PrefixI True) ((:*:) ((:*:) (S1 (MetaSel (Just Symbol "_gdkwpKeySpec") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 (Maybe DataKeySpec))) (S1 (MetaSel (Just Symbol "_gdkwpEncryptionContext") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 (Maybe (Map Text Text))))) ((:*:) (S1 (MetaSel (Just Symbol "_gdkwpNumberOfBytes") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 (Maybe Nat))) ((:*:) (S1 (MetaSel (Just Symbol "_gdkwpGrantTokens") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 (Maybe [Text]))) (S1 (MetaSel (Just Symbol "_gdkwpKeyId") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 Text))))))
type Rs GenerateDataKeyWithoutPlaintext Source # 

Request Lenses

gdkwpKeySpec :: Lens' GenerateDataKeyWithoutPlaintext (Maybe DataKeySpec) Source #

The length of the data encryption key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.

gdkwpEncryptionContext :: Lens' GenerateDataKeyWithoutPlaintext (HashMap Text Text) Source #

A set of key-value pairs that represents additional authenticated data. For more information, see Encryption Context in the AWS Key Management Service Developer Guide .

gdkwpNumberOfBytes :: Lens' GenerateDataKeyWithoutPlaintext (Maybe Natural) Source #

The length of the data encryption key in bytes. For example, use the value 64 to generate a 512-bit data key (64 bytes is 512 bits). For common key lengths (128-bit and 256-bit symmetric keys), we recommend that you use the KeySpec field instead of this one.

gdkwpGrantTokens :: Lens' GenerateDataKeyWithoutPlaintext [Text] Source #

A list of grant tokens. For more information, see Grant Tokens in the AWS Key Management Service Developer Guide .

gdkwpKeyId :: Lens' GenerateDataKeyWithoutPlaintext Text Source #

The identifier of the CMK under which to generate and encrypt the data encryption key. A valid identifier is the unique key ID or the Amazon Resource Name (ARN) of the CMK, or the alias name or ARN of an alias that points to the CMK. Examples: * Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab * CMK ARN: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab * Alias name: alias/ExampleAlias * Alias ARN: arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias

Destructuring the Response

generateDataKeyWithoutPlaintextResponse Source #

Arguments

:: Int

gdkwprsResponseStatus

-> GenerateDataKeyWithoutPlaintextResponse 

Creates a value of GenerateDataKeyWithoutPlaintextResponse with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

  • gdkwprsKeyId - The identifier of the CMK under which the data encryption key was generated and encrypted.
  • gdkwprsCiphertextBlob - The encrypted data encryption key.-- Note: This Lens automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.
  • gdkwprsResponseStatus - -- | The response status code.

data GenerateDataKeyWithoutPlaintextResponse Source #

See: generateDataKeyWithoutPlaintextResponse smart constructor.

Instances

Eq GenerateDataKeyWithoutPlaintextResponse Source # 
Data GenerateDataKeyWithoutPlaintextResponse Source # 

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> GenerateDataKeyWithoutPlaintextResponse -> c GenerateDataKeyWithoutPlaintextResponse #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c GenerateDataKeyWithoutPlaintextResponse #

toConstr :: GenerateDataKeyWithoutPlaintextResponse -> Constr #

dataTypeOf :: GenerateDataKeyWithoutPlaintextResponse -> DataType #

dataCast1 :: Typeable (* -> *) t => (forall d. Data d => c (t d)) -> Maybe (c GenerateDataKeyWithoutPlaintextResponse) #

dataCast2 :: Typeable (* -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c GenerateDataKeyWithoutPlaintextResponse) #

gmapT :: (forall b. Data b => b -> b) -> GenerateDataKeyWithoutPlaintextResponse -> GenerateDataKeyWithoutPlaintextResponse #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> GenerateDataKeyWithoutPlaintextResponse -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> GenerateDataKeyWithoutPlaintextResponse -> r #

gmapQ :: (forall d. Data d => d -> u) -> GenerateDataKeyWithoutPlaintextResponse -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> GenerateDataKeyWithoutPlaintextResponse -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> GenerateDataKeyWithoutPlaintextResponse -> m GenerateDataKeyWithoutPlaintextResponse #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> GenerateDataKeyWithoutPlaintextResponse -> m GenerateDataKeyWithoutPlaintextResponse #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> GenerateDataKeyWithoutPlaintextResponse -> m GenerateDataKeyWithoutPlaintextResponse #

Read GenerateDataKeyWithoutPlaintextResponse Source # 
Show GenerateDataKeyWithoutPlaintextResponse Source # 
Generic GenerateDataKeyWithoutPlaintextResponse Source # 
NFData GenerateDataKeyWithoutPlaintextResponse Source # 
type Rep GenerateDataKeyWithoutPlaintextResponse Source # 
type Rep GenerateDataKeyWithoutPlaintextResponse = D1 (MetaData "GenerateDataKeyWithoutPlaintextResponse" "Network.AWS.KMS.GenerateDataKeyWithoutPlaintext" "amazonka-kms-1.4.5-2CcuwPQYK1JBjEgZ8528Xg" False) (C1 (MetaCons "GenerateDataKeyWithoutPlaintextResponse'" PrefixI True) ((:*:) (S1 (MetaSel (Just Symbol "_gdkwprsKeyId") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 (Maybe Text))) ((:*:) (S1 (MetaSel (Just Symbol "_gdkwprsCiphertextBlob") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 (Maybe Base64))) (S1 (MetaSel (Just Symbol "_gdkwprsResponseStatus") NoSourceUnpackedness SourceStrict DecidedUnpack) (Rec0 Int)))))

Response Lenses

gdkwprsKeyId :: Lens' GenerateDataKeyWithoutPlaintextResponse (Maybe Text) Source #

The identifier of the CMK under which the data encryption key was generated and encrypted.

gdkwprsCiphertextBlob :: Lens' GenerateDataKeyWithoutPlaintextResponse (Maybe ByteString) Source #

The encrypted data encryption key.-- Note: This Lens automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.

gdkwprsResponseStatus :: Lens' GenerateDataKeyWithoutPlaintextResponse Int Source #

  • - | The response status code.